Is 0x7466/bw-cli safe?
https://github.com/openclaw/skills/tree/main/skills/0x7466/bw-cli
This is a legitimate and well-structured reference skill for the Bitwarden CLI password manager. It contains no malicious code, no prompt injection attempts, and no exfiltration mechanisms. The primary concerns are inherent to the domain: it documents sensitive operations (plaintext password storage, vault export, credential retrieval) that could be misused if an agent executes them without explicit user confirmation. Installation monitoring showed clean behavior with no unexpected network connections, process spawning, or canary file access.
Findings (6)
MEDIUM (-10): Plaintext master password storage pattern
The skill instructs storing BW_PASSWORD in a plaintext file at ~/.openclaw/workspace/.secrets and automatically sourcing that file from ~/.bashrc or ~/.zshrc. Although chmod 600 is applied and a .gitignore entry is set, this keeps the master password in a persistent plaintext file and loads it into the environment of every shell session, where any process started from that shell can read it.
LOW (-3): Vault export in plaintext documented without warnings
The skill documents bw export in CSV and JSON formats, which dump the entire vault in plaintext. While legitimate, an agent following these instructions without user confirmation could inadvertently write all credentials to disk.
LOW (-2): Local REST API server command documented
The bw serve command starts a local REST API on port 8087, and the --disable-origin-protection flag is documented alongside it. If an agent runs this, other local processes could access the vault without authentication.
LOW (-10): Shell config modification instructions
The skill instructs the agent to append source commands to ~/.bashrc and ~/.zshrc. While legitimate for the use case, modifying shell configuration files is a sensitive operation that should require explicit user consent.
INFO (-5): Global npm package installation suggested
The skill suggests npm install -g @bitwarden/cli. This is the official Bitwarden CLI package on npm, but global npm installs can execute postinstall scripts with the installing user's privileges.
INFO (-25): Comprehensive destructive operations documented
The skill documents permanent deletion (bw delete --permanent), vault export, and credential retrieval: all legitimate but high-impact operations. An agent could execute these without sufficient user confirmation if not carefully prompted.